Role of Risk Management Committee in Cyber Security

One of the biggest risks confronting companies is the risk arising from inadequate cyber security. It is much more than an IT issue: it is an enterprise-level risk management issue. With Work-From-Home now the norm, and with the number of data breaches rising, this has become a permanent item on the agendas of the Risk Management Committees (RMCs) of forward-looking companies. A cyber security breach or attack can compromise a company's data and servers and thereby disrupt its business. It can also have severe reputational and legal consequences for the company.

Under the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, the RMC is responsible for monitoring and reviewing activities relating to cyber security. Since most RMC members are not cyber security experts, top management must ensure that the committee either has such experts on the team or can access outside expertise to deal with cyber security related aspects. RMC members must nevertheless retain oversight of cyber security. Given its importance, cyber security should be on the agenda of the RMC at every quarterly meeting. Where there is no RMC, the Audit Committee (AC) should perform this function.

Some of the questions relating to cyber security that RMC members should ask are:

  • Is there a senior person, with relevant experience, responsible for ensuring cyber security within the company?
  • Does the company have a cyber security strategy?
  • Are there necessary safeguards in place to prevent cyber attacks?
  • Are these measures being followed?
  • Does Internal Audit review controls relating to cyber security?
  • Does the company have cyber insurance?
  • If so, is the cover adequate, given the increase in the number and types of threats?
  • Has the company considered seeking external assurance on the adequacy of its efforts?
  • If there has been an attempted cyber attack, even one that was blocked, has it been brought to the notice of the RMC?

Not all cyber security issues can be anticipated and planned for. The requirement is therefore a continuing one: never lowering one's guard, and staying alert at all times.


Divyani Garg